From 0f171377e5533041079eb1c182ea60baf6efadbf Mon Sep 17 00:00:00 2001 From: Benjamin Thomas Schwertfeger Date: Sat, 4 Jul 2026 08:36:11 +0200 Subject: [PATCH 1/5] Pin GitHub Actions to commit SHAs and add Harden Runner in audit mode --- .github/workflows/_build.yaml | 8 +++++++- .github/workflows/_build_doc.yaml | 7 +++++++ .github/workflows/_codeql.yaml | 12 ++++++++--- .github/workflows/_pre_commit.yaml | 6 ++++++ .github/workflows/_test.yaml | 6 ++++++ .github/workflows/cicd.yaml | 20 +++++++++++++++---- .../workflows/dependabot_auto_approve.yaml | 8 +++++++- .github/workflows/scorecard.yml | 6 ++++++ 8 files changed, 64 insertions(+), 9 deletions(-) diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml index c8bb409..62a3444 100644 --- a/.github/workflows/_build.yaml +++ b/.github/workflows/_build.yaml @@ -26,6 +26,12 @@ jobs: Build: runs-on: ${{ inputs.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + disable-sudo: true + egress-policy: audit + - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: @@ -72,7 +78,7 @@ jobs: run: python -m build - name: Store the distribution packages - uses: actions/upload-artifact@v7.0.1 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # upload artifacts with the oldest supported version if: runner.os == 'linux' && inputs.python-version == '3.9' with: diff --git a/.github/workflows/_build_doc.yaml b/.github/workflows/_build_doc.yaml index dc4dbe2..39f0865 100644 --- a/.github/workflows/_build_doc.yaml +++ b/.github/workflows/_build_doc.yaml @@ -25,6 +25,13 @@ jobs: Build: runs-on: ${{ inputs.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + # sudo is required by the "Install dependencies" step below (apt-get pandoc) + disable-sudo: false + - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 diff --git a/.github/workflows/_codeql.yaml b/.github/workflows/_codeql.yaml index 1ec1dcc..6168e30 100644 --- a/.github/workflows/_codeql.yaml +++ b/.github/workflows/_codeql.yaml @@ -38,12 +38,18 @@ jobs: # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + disable-sudo: true + egress-policy: audit + - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v4.36.2 + uses: github/codeql-action/init@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2 with: languages: python # If you wish to specify custom queries, you can do so here or in a config file. @@ -56,7 +62,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v4.36.2 + uses: github/codeql-action/autobuild@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2 # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -69,6 +75,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4.36.2 + uses: github/codeql-action/analyze@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2 with: category: "/language:python" diff --git a/.github/workflows/_pre_commit.yaml b/.github/workflows/_pre_commit.yaml index 2208574..9102684 100644 --- a/.github/workflows/_pre_commit.yaml +++ b/.github/workflows/_pre_commit.yaml @@ -18,6 +18,12 @@ jobs: Pre-Commit: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + disable-sudo: true + egress-policy: audit + - name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 diff --git a/.github/workflows/_test.yaml b/.github/workflows/_test.yaml index b301f49..9f9fd62 100644 --- a/.github/workflows/_test.yaml +++ b/.github/workflows/_test.yaml @@ -33,6 +33,12 @@ jobs: OS: ${{ inputs.os }} PYTHON: ${{ inputs.python-version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + disable-sudo: true + egress-policy: audit + - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 diff --git a/.github/workflows/cicd.yaml b/.github/workflows/cicd.yaml index ffd7e4d..854abc1 100644 --- a/.github/workflows/cicd.yaml +++ b/.github/workflows/cicd.yaml @@ -103,14 +103,20 @@ jobs: name: testpypi url: https://test.pypi.org/p/python-cmethods steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + disable-sudo: true + egress-policy: audit + - name: Download all the distributions - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: python-package-distributions path: dist/ - name: Publish package distributions to Test PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 with: repository-url: https://test.pypi.org/legacy/ @@ -138,13 +144,19 @@ jobs: name: pypi url: https://pypi.org/p/python-cmethods steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + disable-sudo: true + egress-policy: audit + - name: Download all the distributions - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: python-package-distributions path: dist/ - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 with: repository-url: https://upload.pypi.org/legacy/ diff --git a/.github/workflows/dependabot_auto_approve.yaml b/.github/workflows/dependabot_auto_approve.yaml index 50d8862..cd2886f 100644 --- a/.github/workflows/dependabot_auto_approve.yaml +++ b/.github/workflows/dependabot_auto_approve.yaml @@ -22,9 +22,15 @@ jobs: runs-on: ubuntu-latest if: ${{ github.actor == 'dependabot[bot]' }} steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + disable-sudo: true + egress-policy: audit + - name: Dependabot metadata id: dependabot-metadata - uses: dependabot/fetch-metadata@v3.1.0 + uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Approve a PR diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 9f9b7e4..bbc9f11 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -31,6 +31,12 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + disable-sudo: true + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: From ffd5d46efead44f8941678f70511a9755c99fa5f Mon Sep 17 00:00:00 2001 From: Benjamin Thomas Schwertfeger Date: Sat, 4 Jul 2026 08:47:25 +0200 Subject: [PATCH 2/5] Switch Build job Harden Runner to block mode with observed egress --- .github/workflows/_build.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml index 62a3444..1dce455 100644 --- a/.github/workflows/_build.yaml +++ b/.github/workflows/_build.yaml @@ -30,7 +30,11 @@ jobs: uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo: true - egress-policy: audit + egress-policy: block + allowed-endpoints: > + files.pythonhosted.org:443 + github.com:443 + pypi.org:443 - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 From e6edd20522ccbac401e8225bfe5d277ac369d1ed Mon Sep 17 00:00:00 2001 From: Benjamin Thomas Schwertfeger Date: Sat, 4 Jul 2026 08:53:58 +0200 Subject: [PATCH 3/5] configure block --- .github/workflows/cicd.yaml | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cicd.yaml b/.github/workflows/cicd.yaml index 854abc1..f964568 100644 --- a/.github/workflows/cicd.yaml +++ b/.github/workflows/cicd.yaml @@ -107,7 +107,17 @@ jobs: uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo: true - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + fulcio.sigstore.dev + ghcr.io + github.com:443 + pkg-containers.githubusercontent.com:443 + rekor.sigstore.dev + test.pypi.org + tuf-repo-cdn.sigstore.dev + uploads.github.com:443 - name: Download all the distributions uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 @@ -148,7 +158,18 @@ jobs: uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo: true - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + fulcio.sigstore.dev + ghcr.io + github.com:443 + pkg-containers.githubusercontent.com:443 + pypi.org + rekor.sigstore.dev + tuf-repo-cdn.sigstore.dev + upload.pypi.org + uploads.github.com:443 - name: Download all the distributions uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 From 37968f83ff7ad09cca933d78e246abbd1a2b3bd3 Mon Sep 17 00:00:00 2001 From: Benjamin Thomas Schwertfeger Date: Sat, 4 Jul 2026 09:28:28 +0200 Subject: [PATCH 4/5] configure audit --- .github/workflows/_build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml index 1dce455..7b4faf8 100644 --- a/.github/workflows/_build.yaml +++ b/.github/workflows/_build.yaml @@ -30,7 +30,7 @@ jobs: uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo: true - egress-policy: block + egress-policy: audit allowed-endpoints: > files.pythonhosted.org:443 github.com:443 From 7bf317963cf1d20a1c36b38d360a2f51f7ca9613 Mon Sep 17 00:00:00 2001 From: Benjamin Thomas Schwertfeger Date: Sat, 4 Jul 2026 09:36:28 +0200 Subject: [PATCH 5/5] configure block --- .github/workflows/_build.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml index 7b4faf8..f41bc0c 100644 --- a/.github/workflows/_build.yaml +++ b/.github/workflows/_build.yaml @@ -30,11 +30,13 @@ jobs: uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: disable-sudo: true - egress-policy: audit + egress-policy: block allowed-endpoints: > + api.github.com files.pythonhosted.org:443 github.com:443 pypi.org:443 + release-assets.githubusercontent.com:443 - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0